CVE-2013-0431
Published: 31 January 2013
Summary
CVE-2013-0431 is a medium-severity Protection Mechanism Failure (CWE-693) vulnerability in Oracle JRE. Its CVSS base score is 5.3 (Medium).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-18 (Mobile Code).
Deeper analysis
The vulnerability is an unspecified flaw in the Java Runtime Environment component of Oracle Java SE 7 through Update 11 and OpenJDK 7. It is tracked as Issue 52 and is distinct from CVE-2013-1490. The issue resides in JMX-related code and permits bypass of the Java security sandbox.
User-assisted remote attackers can exploit the flaw over the network to circumvent sandbox restrictions and obtain limited unauthorized access to sensitive information. The CVSS 3.1 score of 5.3 reflects a network attack vector, low complexity, and no required privileges or user interaction for the confidentiality impact. No mitigation details or patch guidance are provided in the available references, and no information on observed exploitation is supplied.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2013-0442
Vulnerability details
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, and OpenJDK 7, allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors related to JMX, aka "Issue 52," a different vulnerability than CVE-2013-1490.
- CWE(s)
- KEV Date Added: 25 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly enforces the Java security sandbox that CVE-2013-0431 bypasses via JMX vectors.
Restricts usage and implementation of mobile code technologies such as Java applets/JMX that the sandbox bypass targets.
Enforces information flow rules inside the JRE sandbox that the JMX flaw circumvents to leak data.